In an effort to address the increasing threat posed by the malicious use of remote access software, several cybersecurity agencies have collaborated to release a comprehensive guide on securing these tools.
The document was published on Tuesday by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the Israel National Cyber Directorate (INCD).
According to the guide, remote access software is crucial in enabling organizations to remotely manage and monitor networks, computers and devices. It provides a flexible and efficient approach to IT and operational technology (OT) management, allowing for proactive troubleshooting, maintenance and backup operations.
However, these very capabilities also make it an attractive tool for malicious actors to exploit, potentially compromising the security of businesses and systems.
“Remote access software provides IT/OT teams with flexible ways to detect anomalous network or device issues early on and proactively monitor systems,” reads the document.
“Cyber threat actors are increasingly co-opting these same tools for easy and broad access to victim systems.”
To shed light on these techniques, the guide highlights the common exploitations and associated tactics, techniques and procedures (TTPs) employed by threat actors leveraging remote access software.
These encompass various techniques, such as sophisticated phishing campaigns, social engineering tricks, exploitation of software vulnerabilities and weak passwords.
“RMM software, in particular, has significant capabilities to monitor or operate devices and systems as well as attain heightened permissions, making it an attractive tool for malicious actors to maintain persistence and move laterally on compromised networks,” the agencies wrote.
Additionally, the guidelines emphasize the need for organizations to establish a security baseline and be familiar with the normal behavior of the software to detect abnormal and malicious activities effectively.
Among the key recommendations for organizations is to implement a robust risk management strategy based on established standards and to regularly monitor remote access software using endpoint detection and response (EDR) tools.
The guide also advises organizations to be cautious about the supply-chain integrity of their service providers. Its publication follows a separate effort CISA conducted in January warning network defenders about the malicious use of legitimate RMM software tools.